Walkthrough: Constraining Access to Table Data by Using Security Policies

In this topic you enhance a pre-existing security policy to reduce the range of data records that roles and users can access in the CustTable table and the SalesTable table. You do this by adding the two tables under the Constrained Tables node of the pre-existing policy.

The security policy already exists for the CustGroup table. The pre-existing security policy is named MajorCustomersPolicy. The PrimaryTable property of the policy names the CustGroup table.

The policy uses foreign key relations to determine which data records users are authorized to access on the constrained tables. The CustGroup table is a parent of the CustTable table, which has a foreign key field that references the primary key of the CustGroup table. In turn, the CustTable table is a parent of the SalesTable table.

Add to the List of Constrained Tables on the Policy

You can add tables to the list under the Constrained Tables node of a security policy. The policy denies access to some data records in the constrained tables. The particular records that are denied are determined by the foreign key relationships among the tables in the policy. A record on a constrained table can be accessed only if the foreign key value in the record matches the primary key value of a record that can be accessed in the primary table of the policy.

You can add the CustTable table as a constrained table by following these steps:

Right-click the Constrained Tables node on policy MajorCustomersPolicy, and then click New > Add table by relation.

Set the Table property to CustTable.

Set the property TableRelation to CustGroup.

Chains of Constrained Tables in a Policy

In this section you constrain the SalesTable table. You constrain it by associating it to the constrained CustTable table that you added in the previous section. The SalesTable table is related to the CustGroup table indirectly through the CustTable table.

Constrain Views by the Policy

There are no named relations between a view and a table, the way there are between two tables where a formal foreign key is defined. However, in a security policy under its Constrained Tables node, you can define a relation between a view and one of the tables that the view references. You do this by setting the Value property of the view to a value that has the following format: (Table.FieldName=View.FieldName). You can also enter multiple field relations in the following format: ((Table.Field1=View.Field1) && (Table.Field2=View.Field2)).

In the following steps you enhance the security policy to constrain access to data from a view:

Set the Value property of the view to (smmCustomerView.Party = CustTable.Party).
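The two rules described above (a constrained-table record is visible only if its foreign key matches a visible primary-table record, applied along the chain CustGroup -> CustTable -> SalesTable, and the view relation given in the Value property) can be simulated outside AX. The following is an added illustration, not code from the page or from Dynamics AX; the sample rows are constructed, and the field names (CustTable.AccountNum, CustTable.CustGroup, CustTable.Party, SalesTable.CustAccount) are assumed to match the standard tables.

```python
import re

# Constructed sample rows (not from the page). Field names follow the standard
# AX tables as assumed here: CustTable.AccountNum/CustGroup/Party, SalesTable.CustAccount.
CUST_GROUP = [{"CustGroup": "10"}, {"CustGroup": "20"}]
CUST_TABLE = [{"AccountNum": "C1", "CustGroup": "20", "Party": 101},
              {"AccountNum": "C2", "CustGroup": "10", "Party": 102},
              {"AccountNum": "C3", "CustGroup": "20", "Party": 103}]
SALES_TABLE = [{"SalesId": "S1", "CustAccount": "C1"},
               {"SalesId": "S2", "CustAccount": "C2"},
               {"SalesId": "S3", "CustAccount": "C3"}]
SMM_CUSTOMER_VIEW = [{"Party": 101}, {"Party": 102}, {"Party": 103}]

RELATION_RE = re.compile(r"\(\s*(\w+)\.(\w+)\s*=\s*(\w+)\.(\w+)\s*\)")

def parse_view_relation(value, table_name):
    """Parse '(T.F=V.F)' or '((T.F1=V.F1) && (T.F2=V.F2))' into (table_field, view_field)
    pairs. Either side may name the table, so each pair is oriented by table_name."""
    pairs = []
    for left, lfield, right, rfield in RELATION_RE.findall(value):
        if left == table_name:
            pairs.append((lfield, rfield))
        elif right == table_name:
            pairs.append((rfield, lfield))
        else:
            raise ValueError(f"relation does not reference {table_name}: {value}")
    return pairs

def constrain(parent_rows, parent_key, child_rows, child_fk):
    """A constrained-table record is visible only if its foreign key matches the
    primary key of a record that is itself visible in the parent table."""
    visible = {r[parent_key] for r in parent_rows}
    return [r for r in child_rows if r[child_fk] in visible]

def constrain_view(table_rows, view_rows, relation_value, table_name):
    """Same rule for a view, matching on the field pairs from the Value property."""
    pairs = parse_view_relation(relation_value, table_name)
    visible = {tuple(r[tf] for tf, _ in pairs) for r in table_rows}
    return [v for v in view_rows if tuple(v[vf] for _, vf in pairs) in visible]

def apply_major_customers_policy(allowed_groups):
    """The policy query filters the primary table CustGroup; the filter then propagates
    CustGroup -> CustTable -> SalesTable and CustTable -> smmCustomerView."""
    groups = [g for g in CUST_GROUP if g["CustGroup"] in allowed_groups]
    custs = constrain(groups, "CustGroup", CUST_TABLE, "CustGroup")
    sales = constrain(custs, "AccountNum", SALES_TABLE, "CustAccount")
    view = constrain_view(custs, SMM_CUSTOMER_VIEW,
                          "(smmCustomerView.Party = CustTable.Party)", "CustTable")
    return {"CustTable": [c["AccountNum"] for c in custs],
            "SalesTable": [s["SalesId"] for s in sales],
            "smmCustomerView": [v["Party"] for v in view]}
```

Calling `apply_major_customers_policy({"20"})` keeps only the customers in group 20, their sales orders and their view rows; note that the page's own example puts the view on the left of the `=`, so the parser accepts either side order.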

Verify that the Security Policy is Enforced on Related Tables and Views

As an application user, you can now verify that the security policy that you have created is enforced by the system.

Manually assign an application user to the Sales manager role by using the System administration form. For information about how to assign a user to a role, see Assign users to security roles.

Log on to the system as an application user and run the AX32.exe client application from the Command Prompt window.

Switch to company Contoso Entertainment Systems (West) (CEU).

Switch to the module Accounts Receivable and open Common > Customers > All Customers. Verify that only customers in customer group 20 are shown.
To confirm this, you can personalize the form and add the Customer.CustomerGroup field to it.

Verify that the application user can only view the Major customers customer group, as shown in the following image.

The customer group that the application user can view

Switch to the module Sales and marketing and open Common > Sales orders > All sales orders.

Verify that you can see only the sales orders for customers of the Major customers group.

The sales orders that the application user can view

Next Steps

Next you can associate the security policy to a role. The following properties on the security policy are involved: